Recent Posts

91
Other Discussion / Re: ELF files are confusing.
« Last post by fredericopissarra on August 14, 2023, 12:13:01 PM »
Quote
Yeah, I am probably confused. Should have stopped after "I don't know'"

Best,
Frank
Frank, I was talking about the "program headers" in the original post.

[]s
Fred
92
Other Discussion / Re: ELF files are confusing.
« Last post by Frank Kotler on August 13, 2023, 07:58:55 PM »
Thank you!

Frank

93
Other Discussion / Re: ELF files are confusing.
« Last post by vitsoft on August 13, 2023, 07:15:32 PM »
While ELF Sections are used by the linker, ELF Program Segments are used by the (dynamic) loader at Linux program execution.
A section header tells where the section's contents are located in the file. This is used mostly at link-time.

Program segments instruct the loader at load-time about the virtual address where each segment should be memory-mapped and what privileges it should be assigned (read, write, execute). See also the ELF specification.

If you want to inspect ELF files in Windows, install the Linux emulator WSL and use
readelf -aW ElfFile
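As an added example (not part of vitsoft's post), the following Python walks the ELF64 header and the program header table the loader actually consumes, over a constructed minimal image that has zero section headers, and flags any PT_LOAD segment mapped both writable and executable. The struct layouts follow the ELF specification; the sample image is constructed here and is not a real program.

```python
import struct

# ELF64 little-endian layouts from the ELF specification
EHDR_FMT = "<16sHHIQQQIHHHHHH"  # e_ident .. e_shstrndx (64 bytes)
PHDR_FMT = "<IIQQQQQQ"          # p_type, p_flags, p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_align (56 bytes)
PT_LOAD = 1
PF_X, PF_W, PF_R = 1, 2, 4

def parse_program_headers(data):
    """Return one dict per program header; the ELF header gives the table's offset, entry size and count."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    hdr = struct.unpack_from(EHDR_FMT, data, 0)
    e_phoff, e_phentsize, e_phnum = hdr[5], hdr[9], hdr[10]
    if e_phentsize < struct.calcsize(PHDR_FMT) or e_phoff + e_phnum * e_phentsize > len(data):
        raise ValueError("program header table lies outside the image")
    segments = []
    for i in range(e_phnum):
        p_type, p_flags, p_offset, p_vaddr, _, p_filesz, p_memsz, p_align = \
            struct.unpack_from(PHDR_FMT, data, e_phoff + i * e_phentsize)
        segments.append({"type": p_type, "flags": p_flags, "offset": p_offset,
                         "vaddr": p_vaddr, "filesz": p_filesz, "memsz": p_memsz, "align": p_align})
    return segments

def flags_to_str(flags):
    """Render p_flags the way readelf -l does, e.g. 'R-X'."""
    return "".join(c if flags & bit else "-" for c, bit in (("R", PF_R), ("W", PF_W), ("X", PF_X)))

def writable_executable_segments(segments):
    """PT_LOAD segments mapped both writable and executable: worth a closer look in any binary."""
    return [s for s in segments if s["type"] == PT_LOAD and (s["flags"] & (PF_W | PF_X)) == (PF_W | PF_X)]

def build_sample_elf():
    """Constructed minimal ELF64 image (not a real program): header plus two PT_LOAD entries, zero section headers."""
    e_ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)  # ELFCLASS64, ELFDATA2LSB, EV_CURRENT, SYSV ABI
    phdrs = [
        (PT_LOAD, PF_R | PF_X, 0, 0x400000, 0x400000, 0x1000, 0x1000, 0x1000),            # text
        (PT_LOAD, PF_R | PF_W | PF_X, 0x1000, 0x401000, 0x401000, 0x100, 0x200, 0x1000),  # data, deliberately RWX
    ]
    # e_type=ET_EXEC(2), e_machine=EM_X86_64(0x3E), e_phoff=64, e_shoff=0, e_shnum=0: the loader needs no sections
    ehdr = struct.pack(EHDR_FMT, e_ident, 2, 0x3E, 1, 0x400000, 64, 0, 0, 64, 56, len(phdrs), 64, 0, 0)
    return ehdr + b"".join(struct.pack(PHDR_FMT, *p) for p in phdrs)

if __name__ == "__main__":
    segs = parse_program_headers(build_sample_elf())
    for s in segs:
        print(f"type={s['type']} vaddr=0x{s['vaddr']:x} memsz=0x{s['memsz']:x} flags={flags_to_str(s['flags'])}")
    for s in writable_executable_segments(segs):
        print(f"warning: PT_LOAD at 0x{s['vaddr']:x} is writable and executable")
```

On a real file, `readelf -lW` prints the same table; the `-a` above also lists section headers, which this parser ignores just as the loader does.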
94
Other Discussion / Re: ELF files are confusing.
« Last post by Frank Kotler on August 12, 2023, 04:01:43 AM »
Yeah, I am probably confused. Should have stopped after "I don't know'"

Best,
Frank

95
Other Discussion / Re: ELF files are confusing.
« Last post by fredericopissarra on August 11, 2023, 11:55:00 AM »
Aren't you confusing with "Program Header Table"?

In general, ELF is simpler than PE (and PE+).
96
Other Discussion / Re: ELF files are confusing.
« Last post by Frank Kotler on August 10, 2023, 01:57:33 AM »
Hi Ben,

I don't know. Where are you seeing this? Possibly 4k (usually) memory "pages"? If you can't do anything about it, I wouldn't worry about it.

Best,
Frank

 
97
Other Discussion / ELF files are confusing.
« Last post by ben321 on August 09, 2023, 11:16:11 PM »
While Windows PE EXE files just have named sections as defined by section headers, ELF files have named sections, but also something called "program segments", which are unnamed, and are defined by a separate table of headers called program headers. What's up with that?
98
That would return string length + 1....
Oops... sorry... my bad...
99
Example Code / Re: My own 64-bit `puts' instruction (No length required)
« Last post by munair on July 22, 2023, 03:38:17 PM »
So strlen could be implemented as:
Code:
; Same as: size_t strlen( const char * );
; the function assumes ALL strings will be NUL terminated.
strlen_:
  xor eax,eax
  lea ecx,[rax-1]   ; Limiting the string size to 2³²-1, max.
  mov rdx,rdi
  repnz scasb     ; Scan for '\0'...
  sub rdi,rdx
  mov rax,rdi     ; returns size in RAX.
  ret

That would return string length + 1. So alternatively:

Code:
; Same as: size_t strlen( const char * );
; assumes the string is NUL terminated and DF=0 (as the SysV ABI guarantees on entry).
strlen_:
    xor     eax, eax              ; AL = 0 is the byte scasb compares against; RAX = 0
    lea     ecx, [rax - 1]        ; RCX = 2^32-1, upper bound on bytes scanned
    mov     rdx, rdi              ; keep the start address
    repnz   scasb                 ; RDI stops one past the '\0'
    sub     rdi, rdx              ; RDI = length + 1
    ;mov     rax, rdi
    lea     rax, [rdi - 1]        ; not counting the null terminator
    ret
100
Maybe I'm not understanding how scas works, but isn't the result of scasb stored in rbx in 64-bit assembly? That's why I cleared it with XOR before using scasb and why I subtracted it from rdi (which has starting address of string). I'm probably wrong here though.
SCASB reads from ES:RDI and compares with AL, affecting the flags, and updates RDI. With REP (or REPNZ) prefix it repeats RCX times while ZF=0 (hence the NZ). So strlen could be implemented as:
Code:
; Same as: size_t strlen( const char * );
; the function assumes ALL strings will be NUL terminated.
strlen_:
  xor eax,eax
  lea ecx,[rax-1]   ; Limiting the string size to 2³²-1, max.
  mov rdx,rdi
  repnz scasb     ; Scan for '\0'...
  sub rdi,rdx
  mov rax,rdi     ; returns size in RAX.
  ret

Wouldn't the assembler get confused if I used 64-bit syscalls on 32-bit registers? Or if I put some arguments of a syscall in R?? registers and others in E?? registers?
E?? registers are the lower part of R?? registers. And, in x86-64 mode, when you change an E?? register, the upper 32 bits of the R?? register are automatically zeroed... Instructions using R?? registers need to insert a prefix (REX prefix), with E?? no prefix...

Wouldn't the assembler
Quote
Notice in my routine, if '\0' isn't found in a block of 2³²-1 bytes it returns -1 (all bits set) in RAX. This allows you to test an error:
... Wouldn't this event be highly unlikely though? ...
You are right!... It's easier to assume the routine expects ALL strings to be zero terminated...